
@davidak
Last active September 2, 2019 20:57
nixos containers
{ config, lib, pkgs, ... }:

# NixOS module for one scan-target container.
# NOTE(review): this is an intentionally weak target — fixed plaintext admin
# password, firewall disabled, sshd/dnsmasq/nginx all enabled — and is only
# meaningful behind the host's private bridge.
{
  # boot.isContainer = true;

  networking = {
    # Get an address via DHCP; mkForce makes this win over any other
    # definition of the option (e.g. one pulled in through imports).
    useDHCP = lib.mkForce true;
    firewall.enable = false;
  };

  services = {
    openssh.enable = true;
    dnsmasq.enable = true;
    nginx.enable = true;
  };

  users.users.admin = {
    isNormalUser = true;
    extraGroups = [ "wheel" ];
    # Plaintext lab password; it ends up in the world-readable Nix store.
    password = "admin";
  };

  # Skip building manuals/info pages to speed up the build.
  documentation = {
    enable = false;
    doc.enable = false;
    info.enable = false;
    man.enable = false;
    nixos.enable = false;
  };
}
{ config, pkgs, lib, ... }:

with lib;

let
  # Module applied inside every scan-target container.
  targetConfig = import ../minimal-target-container/configuration.nix;

  # Definition shared by all containers; instantiated 200 times below.
  target = {
    autoStart = true;
    # Every container starts at boot, so allow a generous start timeout.
    timeoutStartSec = "60m";
    privateNetwork = true;
    hostBridge = "br0";
    config = {
      imports = [ targetConfig ];
      # Reuse the host's nixpkgs instead of evaluating it again per container
      # (workaround for https://github.com/NixOS/nixpkgs/issues/65690).
      nixpkgs.pkgs = mkForce pkgs;
    };
  };

  # Container names: target1 .. target200.
  containerNames = map (n: "target${toString n}") (range 1 200);
in
{
  boot = {
    # Copy the whole system to a ramdisk so the boot medium can be removed.
    kernelParams = [ "copytoram=1" ];

    # Raised kernel limits so many containers can run side by side.
    kernel.sysctl = {
      # Fixes "Failed to allocate directory watch: Too many open files"
      # and "Insufficent watch descriptors available."
      "fs.inotify.max_user_instances" = 8192;
      # "kern.maxprocperuid" = 65536;
      # "kern.maxproc" = 65536;
      # Avoids running out of PIDs (default 32768); check with
      # `lsof -n -l | wc -l`.
      "kernel.pid_max" = 4194303; # 64-bit max
    };
  };

  networking = {
    hostName = "targets-host";
    # "eth0" is easier to refer to than a generated interface name.
    usePredictableInterfaceNames = false;
    useDHCP = true;
    # eth0 is enslaved to br0, which the containers attach to via hostBridge.
    bridges.br0.interfaces = [ "eth0" ];
    firewall = {
      enable = true;
      allowPing = true;
      # 19999: netdata dashboard.
      # NOTE(review): sshd's port is not listed here, but
      # services.openssh.openFirewall defaults to true, so it is opened as
      # well — confirm that is intended.
      allowedTCPPorts = [ 19999 ];
      allowedUDPPorts = [ ];
    };
  };

  # Equivalent to: target1 = target; target2 = target; ... target200 = target;
  containers = genAttrs containerNames (_: target);

  services = {
    openssh = {
      enable = true;
      startWhenNeeded = true;
    };

    # Monitoring
    netdata = {
      enable = true;
      config.global = {
        "default port" = "19999";
        # Listens on all addresses; no authentication is configured here, so
        # anything that can reach port 19999 can read the dashboard.
        "bind to" = "*";
        # keep 1 day of history
        "history" = "86400";
        "error log" = "syslog";
        "debug log" = "syslog";
      };
    };
  };

  users.users.root = {
    # Fixed plaintext password for the lab host.
    # NOTE(review): services.openssh.permitRootLogin is left at its default;
    # confirm whether root can log in over SSH with this password or only
    # with the key below.
    password = "root";
    openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC9e5B6doLlyFeBJIs2LpJA938HK2/jyITbtD7+xZ5Vw dkleuker" ];
  };

  systemd.enableCgroupAccounting = true;

  # Packages
  environment.systemPackages = with pkgs; [ htop micro ];

  # Skip building manuals/info pages to speed up the build.
  documentation = {
    enable = false;
    doc.enable = false;
    info.enable = false;
    man.enable = false;
    nixos.enable = false;
  };

  # This value determines the NixOS release with which your system is to be
  # compatible, in order to avoid breaking some software such as database
  # servers. You should change this only after NixOS release notes say you
  # should.
  system.stateVersion = "19.03"; # Did you read the comment?
}

targets-image

Host for GVM scan targets as live CD image.

Usage

Create image

This command builds an ISO image and outputs its path.

nixos-generate -I nixpkgs=https://releases.nixos.org/nixos/19.03/nixos-19.03.173391.0715f2f1a9b/nixexprs.tar.xz -c /home/davidak/code/nixos-config-greenbone/machines/targets-image/configuration.nix -f iso

Set the path to the configuration.nix on your system with -c.

The package definitions (nixpkgs) are pinned to a specific release, so the result is always reproducible.

You need the Nix package manager and nixos-generators for this.

Create bootable USB-Drive

Just use dd or your preferred tool to create a bootable USB-Drive.

sudo dd if=/nix/store/04psn9kk5b7c8pijvpyi331p21szd3jc-nixos.iso/iso/nixos.iso of=/dev/sdX

Use the actual name of your USB-Stick instead of /dev/sdX.

Be careful with the device you specify, since the command will overwrite all data on it!

Boot system

Just plug the USB-Drive into a computer and boot from it!

It will copy the whole system to a ramdisk, so you can unplug it when it's fully started.

You can connect to it with SSH: root:root

Containers

They are started automatically at boot. A complete start takes about 7 minutes on an Intel NUC with an i5.

Use this command to get the IPs of the containers:

for i in $(nixos-container list); do nixos-container run $i -- ip -4 addr show eth0 | grep -oP '(?<=inet\s)\d+(\.\d+){3}' | tr '\n' ','; done

It outputs a comma-separated list that you can put directly into a GSM scan target config!

Monitoring

Netdata: http://IP:19999
